Comments (22)
Hi @iam-veeramalla, I confirm it works.
On my side, the SSO is working correctly on an OKD 4.7.
As @davidkarlsen said, there is no way to access the doc describing the procedure.
Thanks,
Yes, this doc is not available publicly, my bad for sharing this. Sharing the steps below that are mentioned in the docs.
Set DISABLE_DEX env variable to false. Example shown below.
spec:
  config:
    env:
      - name: DISABLE_DEX
        value: "false"
You can enable RBAC on argo-cd by following the instructions provided in the argo-cd RBAC Configuration. Example RBAC configuration looks like this.
spec:
  dex:
    openShiftOAuth: true
  rbac:
    defaultPolicy: 'role:readonly'
    policy: |
      g, system:cluster-admins, role:admin
    scopes: '[groups]'
from gitops-operator.
This works for me on an OSD 4.7 cluster, enables both real TLS (using the cluster route's default wildcard cert) and SSO to OpenShift.
$ oc patch subscription openshift-gitops-operator -n openshift-operators --type=merge -p='{"spec":{"config":{"env":[{"name":"DISABLE_DEX","value":"false"}]}}}'
$ oc patch argocd openshift-gitops -n openshift-gitops --type=merge -p='{"spec":{"dex":{"openShiftOAuth":true},"rbac":{"defaultPolicy":"role:readonly","policy":"g, system:cluster-admins, role:admin","scopes":"[groups]"}}}'
$ oc patch argocd openshift-gitops -n openshift-gitops --type=merge -p='{"spec":{"server":{"insecure":true,"route":{"enabled":true,"tls":{"insecureEdgeTerminationPolicy":"Redirect","termination":"edge"}}}}}'
from gitops-operator.
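An added example (not part of the thread and not gitops-operator code): a small Python check over the `spec.rbac` block from the second `oc patch` command above, listing which subjects end up with `role:admin` and flagging a permissive `defaultPolicy` or a binding to a role that is never defined. `WEAK_SPEC`, `role:ci` and `ci-bots` are constructed for illustration.

```python
import json

BUILTIN_ROLES = {"role:readonly", "role:admin"}  # roles Argo CD ships with

def parse_policy(csv_text):
    """Split an Argo CD policy CSV into g-line bindings and p-line rules."""
    bindings, rules = [], []
    for raw in csv_text.splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if fields == [""] or fields[0].startswith("#"):
            continue                                   # blank line or comment
        if fields[0] == "g" and len(fields) == 3:
            bindings.append((fields[1], fields[2]))    # (subject, role)
        elif fields[0] == "p" and len(fields) >= 5:
            rules.append(tuple(fields[1:]))            # (role, resource, action, object[, effect])
        else:
            raise ValueError(f"unrecognised policy line: {raw!r}")
    return bindings, rules

def audit_rbac(spec):
    """Report who gets role:admin and flag risky settings in spec.rbac."""
    rbac = spec.get("rbac", {})
    bindings, rules = parse_policy(rbac.get("policy", ""))
    defined = BUILTIN_ROLES | {r[0] for r in rules}
    findings = []
    if rbac.get("defaultPolicy") == "role:admin":
        findings.append("defaultPolicy gives every logged-in user role:admin")
    for subject, role in bindings:
        if role not in defined:                        # e.g. a misspelled role name
            findings.append(f"{subject} is bound to undefined role {role}")
    admins = sorted(s for s, r in bindings if r == "role:admin")
    return {"admins": admins, "findings": findings}

# Payload of the second `oc patch` command quoted in the thread.
PAGE_PATCH = json.loads('{"spec":{"dex":{"openShiftOAuth":true},"rbac":{"defaultPolicy":"role:readonly","policy":"g, system:cluster-admins, role:admin","scopes":"[groups]"}}}')

# Constructed counter-example: permissive default plus a misspelled role name.
WEAK_SPEC = {"rbac": {"defaultPolicy": "role:admin",
                      "policy": "g, system:cluster-admins, role:admins\n"
                                "p, role:ci, applications, sync, */*, allow\n"
                                "g, ci-bots, role:ci"}}

if __name__ == "__main__":
    print(audit_rbac(PAGE_PATCH["spec"]))
    print(audit_rbac(WEAK_SPEC))
```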
Hi @pbriet ,
Dex is currently disabled by default in gitops-operator. To enable Dex, please set the below env variable in subscription resource as mentioned below.
spec:
  config:
    env:
      - name: DISABLE_DEX
        value: "false"
A complete guide to set up dex for gitops_operator is available here.
https://docs.google.com/document/d/1147S5yOdj5Golj3IrTBeeci2E1CjAkieGCcl0w90BS8/edit?ts=602bd66f#heading=h.aaosp4vcdtza
from gitops-operator.
The DISABLE_DEX env variable, is that in the argoCD-resource?
No, it's for the operator deployment.
so in the kind: CatalogSource?
@fredcb it is in the subscription resource
openshift-operators -> subscriptions -> openshift-gitops-operator "edit subscription"
spec:
  ...
  config:
    env:
      - name: DISABLE_DEX
        value: 'false'
  ....
from gitops-operator.
^ I feel like these should be defaults, otherwise the first time user experience isn't great. Until then we should update the docs to clarify that they need to accept a self-signed cert in their browser so they know it's to be expected.
from gitops-operator.
As far as I have learned from Redhat the dex server and integration with OpenShift oauth is no longer supported. They suggest using Keycloak instead. So far a lot less user friendly experience
On Mon, 19 Jul 2021 at 14:12, Elytscha wrote: ^ I feel like these should be defaults, otherwise the first time user experience isn't great. Until then we should update the docs to clarify that they need to accept a self-signed cert in their browser so they know it's to be expected. indeed, with those 3 patch commands the first time user experience is a lot better!
I know, but sounds too complicated to run a tool (keycloak or redhat sso) which no one at the company knows.
'ain't nobody got time for that'
it sounds not so complicated to use the already existent openshift oauth
from gitops-operator.
That document is not available publicly. I requested access.
from gitops-operator.
@pbriet did this work for you ?
from gitops-operator.
It works (i.e. dex will be deployed) when enabling that flag on the operator. However SSO with the built-in OCP oauth fails after a timeout. And also dex is affected by #92
from gitops-operator.
The docs you refer to are still closed, so they are useless.
from gitops-operator.
@davidkarlsen Thanks for the very clear answer :-). I've been working only with argocd's operator so far, so I wasn't aware you had another resource type in this one.
from gitops-operator.
Can we add toggles to the argocd CR to allow the users to do the following:
- enable dex
- sub-option is to enable SSO with openshift
from gitops-operator.
It would be great if the configuration of the subscription would be documented anywhere. I'm a cluster-admin and was wondering why my Argo CD deployed with the GitOps Operator doesn't work. Perhaps there are other config issues that will appear when I try to configure other things in Argo CD??? I'm coming from the Argo CD community operator and would like to take my configurations to the GitOps Operator....
from gitops-operator.
^ I feel like these should be defaults, otherwise the first time user experience isn't great. Until then we should update the docs to clarify that they need to accept a self-signed cert in their browser so they know it's to be expected.
indeed, with those 3 patch commands the first time user experience is a lot better!
from gitops-operator.
for info, redhat "solution"
https://access.redhat.com/solutions/6131481
is indeed to tell you they don't support dex.
from gitops-operator.
From v1.3.0 version of OpenShift-GitOps we support Dex OpenShift Connector. Dex is installed by default and can be configured for "Login With OpenShift" by adding .spec.dex.openShiftOAuth: true to the Argo CD Spec.
Please feel free to reopen the issue, if you still see this after upgrading to v1.3.0.
from gitops-operator.